6 years agoaesni: Implement a AES-NI based CTR crypter using the key schedule
Martin Willi [Thu, 26 Mar 2015 09:37:03 +0000 (10:37 +0100)]
aesni: Implement a AES-NI based CTR crypter using the key schedule

6 years agoaesni: Use 4-way parallel AES-NI instructions for CBC decryption
Martin Willi [Thu, 26 Mar 2015 07:34:00 +0000 (08:34 +0100)]
aesni: Use 4-way parallel AES-NI instructions for CBC decryption

CBC decryption can be parallelized, and we do so by queueing instructions
to the processor pipeline. While we have enough registers for 128-bit
decryption, the register count is insufficient to hold all variables with
larger key sizes. Nonetheless is 4-way parallelism faster, roughly by ~8%.

6 years agoaesni: Use separate en-/decryption CBC code paths for different key sizes
Martin Willi [Thu, 26 Mar 2015 07:31:00 +0000 (08:31 +0100)]
aesni: Use separate en-/decryption CBC code paths for different key sizes

This allows us to unroll loops, and use local (register) variables for the
key schedule. This improves performance slightly for encryption, but a lot
for reorderable decryption (>30%).

6 years agoaesni: Implement a AES-NI based CBC crypter using the key schedule
Martin Willi [Wed, 25 Mar 2015 16:30:58 +0000 (17:30 +0100)]
aesni: Implement a AES-NI based CBC crypter using the key schedule

6 years agoaesni: Implement 256-bit key schedule
Martin Willi [Thu, 26 Mar 2015 07:07:07 +0000 (08:07 +0100)]
aesni: Implement 256-bit key schedule

6 years agoaesni: Implement 192-bit key schedule
Martin Willi [Thu, 26 Mar 2015 07:05:58 +0000 (08:05 +0100)]
aesni: Implement 192-bit key schedule

6 years agoaesni: Implement 128-bit key schedule
Martin Willi [Thu, 26 Mar 2015 07:05:04 +0000 (08:05 +0100)]
aesni: Implement 128-bit key schedule

6 years agoaesni: Add a common key schedule class for AES
Martin Willi [Wed, 25 Mar 2015 13:31:24 +0000 (14:31 +0100)]
aesni: Add a common key schedule class for AES

6 years agoaesni: Provide a plugin stub for AES-NI instruction based crypto primitives
Martin Willi [Wed, 25 Mar 2015 12:27:39 +0000 (13:27 +0100)]
aesni: Provide a plugin stub for AES-NI instruction based crypto primitives

6 years agoutils: Provide an INIT_EXTRA() macro, that allocates extra data to INIT()
Martin Willi [Thu, 5 Jun 2014 13:57:18 +0000 (15:57 +0200)]
utils: Provide an INIT_EXTRA() macro, that allocates extra data to INIT()

6 years agotest-vectors: Add some self-made additional AES-GCM test vectors
Martin Willi [Tue, 31 Mar 2015 09:25:20 +0000 (11:25 +0200)]
test-vectors: Add some self-made additional AES-GCM test vectors

We missed test vectors for 192/256-bit key vectors for ICV8/12, and should
also have some for larger associated data chunk.

6 years agotest-vectors: Define some additional CCM test vectors
Martin Willi [Thu, 26 Mar 2015 16:44:46 +0000 (17:44 +0100)]
test-vectors: Define some additional CCM test vectors

We don't have any where plain or associated data is not a multiple of the block
size, but it is likely to find bugs here. Also, we miss some ICV12 test vectors
using 128- and 192-bit key sizes.

6 years agocrypto-tester: Use the plugin feature key size to benchmark crypters/aeads
Martin Willi [Thu, 26 Mar 2015 10:50:28 +0000 (11:50 +0100)]
crypto-tester: Use the plugin feature key size to benchmark crypters/aeads

We previously didn't pass the key size during algorithm registration, but this
resulted in benchmarking with the "default" key size the crypter uses when
passing 0 as key size.

6 years agocrypt-burn: Support burning signers
Martin Willi [Fri, 27 Mar 2015 13:02:08 +0000 (14:02 +0100)]
crypt-burn: Support burning signers

6 years agocrypt-burn: Add a encryption buffer command line argument
Martin Willi [Fri, 27 Mar 2015 09:25:01 +0000 (10:25 +0100)]
crypt-burn: Add a encryption buffer command line argument

6 years agocrypt-burn: Set a defined key, as some backends require that
Martin Willi [Fri, 27 Mar 2015 09:21:43 +0000 (10:21 +0100)]
crypt-burn: Set a defined key, as some backends require that

6 years agocrypt-burn: Refactor to separate burn methods
Martin Willi [Fri, 27 Mar 2015 09:21:20 +0000 (10:21 +0100)]
crypt-burn: Refactor to separate burn methods

6 years agocrypt-burn: Accept a PLUGINS env var to configure plugins to load
Martin Willi [Fri, 27 Mar 2015 09:00:49 +0000 (10:00 +0100)]
crypt-burn: Accept a PLUGINS env var to configure plugins to load

6 years agovici: Relicense libvici.h under MIT
Martin Willi [Tue, 14 Apr 2015 15:42:53 +0000 (17:42 +0200)]
vici: Relicense libvici.h under MIT

libvici currently relies on libstrongswan, and therefore is bound to the GPLv2.
But to allow alternatively licensed reimplementations without copyleft based
on the same interface, we liberate the header.

6 years agoutils: Define MAX_(U)INT_TYPE to the maximum size integer type available
Martin Willi [Thu, 19 Mar 2015 15:29:06 +0000 (16:29 +0100)]
utils: Define MAX_(U)INT_TYPE to the maximum size integer type available

6 years agoutils: Typedef int128_t and u_int128_t types if supported
Martin Willi [Thu, 19 Mar 2015 14:59:31 +0000 (15:59 +0100)]
utils: Typedef int128_t and u_int128_t types if supported

6 years agoconfigure: Check for __int128 type support
Martin Willi [Thu, 19 Mar 2015 14:58:59 +0000 (15:58 +0100)]
configure: Check for __int128 type support

6 years agoMerge branch 'const-memeq'
Martin Willi [Tue, 14 Apr 2015 09:57:17 +0000 (11:57 +0200)]
Merge branch 'const-memeq'

Introduce constant time memory comparing functions for cryptographic purposes,
and a tool to test such functions or crypto transforms relying on them.

6 years agoutils: Use chunk_equals_const() for all cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 13:56:42 +0000 (15:56 +0200)]
utils: Use chunk_equals_const() for all cryptographic purposes

6 years agoutils: Add a constant time chunk_equals() variant for cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 13:55:26 +0000 (15:55 +0200)]
utils: Add a constant time chunk_equals() variant for cryptographic purposes

6 years agoutils: Use memeq_const() for all cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 13:25:21 +0000 (15:25 +0200)]
utils: Use memeq_const() for all cryptographic purposes

6 years agoutils: Add a constant time memeq() variant for cryptographic purposes
Martin Willi [Sat, 11 Apr 2015 14:44:18 +0000 (16:44 +0200)]
utils: Add a constant time memeq() variant for cryptographic purposes

6 years agoscripts: Add a tool that tries to guess MAC/ICV values using validation times
Martin Willi [Sat, 11 Apr 2015 12:59:22 +0000 (14:59 +0200)]
scripts: Add a tool that tries to guess MAC/ICV values using validation times

This tool shows that it is trivial to re-construct the value memcmp() compares
against by just measuring the time the non-time-constant memcmp() requires to

It also shows that even when running without any network latencies it gets
very difficult to reconstruct MAC/ICV values, as the time variances due to the
crypto routines are large enough that it gets difficult to measure the time
that memcmp() actually requires after computing the MAC.

However, the faster/time constant an algorithm is, the more likely is a
successful attack. When using AES-NI, it is possible to reconstruct (parts of)
a valid MAC with this tool, for example with AES-GCM.

While this is all theoretical, and way more difficult to exploit with network
jitter, it nonetheless shows that we should replace any use of memcmp/memeq()
with a constant-time alternative in all sensitive places.

6 years agoMerge branch 'cpu-features'
Martin Willi [Mon, 13 Apr 2015 13:18:47 +0000 (15:18 +0200)]
Merge branch 'cpu-features'

Centralize all uses of CPUID to a cpu_feature class, which in theory can support
optional features of non-x86/x64 as well using architecture specific code.

6 years agosqlite: Use our locking mechanism also when sqlite3_threadsafe() returns 0
Martin Willi [Fri, 10 Apr 2015 11:36:58 +0000 (13:36 +0200)]
sqlite: Use our locking mechanism also when sqlite3_threadsafe() returns 0

We previously checked for older library versions without locking support at
all. But newer libraries can be built in single-threading mode as well, where
we have to care about the locking.

6 years agordrand: Reuse CPU feature detection to check for RDRAND instructions
Martin Willi [Thu, 2 Apr 2015 12:08:25 +0000 (14:08 +0200)]
rdrand: Reuse CPU feature detection to check for RDRAND instructions

6 years agosqlite: Show SQLite library version and thread safety flag during startup
Martin Willi [Fri, 10 Apr 2015 11:36:26 +0000 (13:36 +0200)]
sqlite: Show SQLite library version and thread safety flag during startup

6 years agopadlock: Reuse common CPU feature detection to check for Padlock features
Martin Willi [Thu, 2 Apr 2015 12:05:39 +0000 (14:05 +0200)]
padlock: Reuse common CPU feature detection to check for Padlock features

6 years agocpu-feature: Support Via Padlock security features
Martin Willi [Thu, 2 Apr 2015 12:04:57 +0000 (14:04 +0200)]
cpu-feature: Support Via Padlock security features

6 years agocpu-feature: Add a common class to query available CPU features
Martin Willi [Thu, 2 Apr 2015 12:02:57 +0000 (14:02 +0200)]
cpu-feature: Add a common class to query available CPU features

Currently supported is x86/x64 via cpuid() for some common features.

6 years agovici: Defer read/write error reporting after connection entry has been released
Martin Willi [Thu, 2 Apr 2015 06:50:56 +0000 (08:50 +0200)]
vici: Defer read/write error reporting after connection entry has been released

If a vici client registered for (control-)log events, but a vici read/write
operation fails, this may result in a deadlock. The attempt to write to the
bus results in a vici log message, which in turn tries to acquire the lock
for the entry currently held.

While a recursive lock could help as well for a single thread, there is still
a risk of inter-thread races if there is more than one thread listening for
events and/or having read/write errors.

We instead log to a local buffer, and write to the bus not before the connection
entry has been released. Additionally, we mark the connection entry as unusable
to avoid writing to the failed socket again, potentially triggering an error

6 years agoaead: Create AEAD using traditional transforms with an explicit IV generator
Martin Willi [Tue, 31 Mar 2015 12:59:12 +0000 (14:59 +0200)]
aead: Create AEAD using traditional transforms with an explicit IV generator

Real AEADs directly provide a suitable IV generator, but traditional crypters
do not. For some (stream) ciphers, we should use sequential IVs, for which
we pass an appropriate generator to the AEAD wrapper.

6 years agoiv-gen: Add a generic constructor to create an IV gen from an algorithm
Martin Willi [Tue, 31 Mar 2015 12:58:17 +0000 (14:58 +0200)]
iv-gen: Add a generic constructor to create an IV gen from an algorithm

6 years agoopenssl: Don't pre-initialize OpenSSL HMAC with an empty key
Martin Willi [Mon, 30 Mar 2015 08:25:41 +0000 (10:25 +0200)]
openssl: Don't pre-initialize OpenSSL HMAC with an empty key

With OpenSSL commit 929b0d70c19f60227f89fac63f22a21f21950823 setting an empty
key fails if no previous key has been set on that HMAC.

In 9138f49e we explicitly added the check we remove now, as HMAC_Update()
might crash if HMAC_Init_ex() has not been called yet. To avoid that, we
set and check a flag locally to let any get_mac() call fail if set_key() has
not yet been called.

6 years agothread: Remove unneeded thread startup synchronization
Martin Willi [Fri, 27 Mar 2015 19:16:58 +0000 (20:16 +0100)]
thread: Remove unneeded thread startup synchronization

sem_init() is deprecated on OS X, and it actually fails with ENOSYS. Using our
wrapped semaphore object is not an option, as it relies on the thread cleanup
that we can't rely on at this stage.

It is unclear why startup synchronization is required, as we can allocate the
thread ID just before creating the pthread. There is a chance that we allocate
a thread ID for a thread that fails to create, but the risk and consequences
are negligible.

6 years agolibsimaka: Link against Winsock2 on Windows
Martin Willi [Mon, 30 Mar 2015 09:24:47 +0000 (11:24 +0200)]
libsimaka: Link against Winsock2 on Windows

The library makes use of htons/ntohs().

6 years agofips-prf: Remove superfluous <arpa/inet.h> include
Martin Willi [Mon, 30 Mar 2015 09:23:06 +0000 (11:23 +0200)]
fips-prf: Remove superfluous <arpa/inet.h> include

As we make no use of htonl() and friends, this is unneeded, but actually
prevents a Windows build.

6 years agokernel-netlink: Fix GCC error about uninitialized variable use
Martin Willi [Wed, 8 Apr 2015 09:13:04 +0000 (11:13 +0200)]
kernel-netlink: Fix GCC error about uninitialized variable use

get_replay_state() always returns a replay_state_len when returning a
replay state, but GCC doesn't know about that.

6 years agoasn1: Undefine TIME_UTC, which is used by C11
Martin Willi [Wed, 8 Apr 2015 06:47:31 +0000 (08:47 +0200)]
asn1: Undefine TIME_UTC, which is used by C11

When building with C11 support, TIME_UTC is used for timespec_get() and
defined in <time.h>. Undefine TIME_UTC for our own internal use in asn1.c.

6 years agoWipe auxiliary key store 5.3.0
Andreas Steffen [Sat, 28 Mar 2015 09:44:23 +0000 (10:44 +0100)]
Wipe auxiliary key store

6 years agocrypto-tester: Explicitly exclude FIPS-PRF from append mode tests
Martin Willi [Sat, 28 Mar 2015 07:38:52 +0000 (08:38 +0100)]
crypto-tester: Explicitly exclude FIPS-PRF from append mode tests

This was implicitly done by the seed length check before 58dda5d6, but we
now require an explicit check to avoid that unsupported use.

6 years agofips-prf: Fail when trying to use append mode on FIPS-PRF
Martin Willi [Sat, 28 Mar 2015 07:36:35 +0000 (08:36 +0100)]
fips-prf: Fail when trying to use append mode on FIPS-PRF

Append mode hardly makes sense for the special stateful FIPS-PRF, which is
different to other PRFs.

6 years agoAdded PB-TNC test options to strongswan.conf man page
Andreas Steffen [Fri, 27 Mar 2015 20:05:00 +0000 (21:05 +0100)]
Added PB-TNC test options to strongswan.conf man page

6 years agoAdded tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios
Andreas Steffen [Fri, 27 Mar 2015 19:56:34 +0000 (20:56 +0100)]
Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios

6 years agoVersion bump to 5.3.0
Andreas Steffen [Fri, 27 Mar 2015 19:55:48 +0000 (20:55 +0100)]
Version bump to 5.3.0

6 years agoFixed PB-TNC error handling
Andreas Steffen [Fri, 27 Mar 2015 13:39:56 +0000 (14:39 +0100)]
Fixed PB-TNC error handling

6 years agoAdded configurations for 3.18 and 3.19 KMV guest kernels
Andreas Steffen [Fri, 27 Mar 2015 10:36:34 +0000 (11:36 +0100)]
Added configurations for 3.18 and 3.19 KMV guest kernels

6 years agoFixed strongswan.conf man page entry of imc-attestation
Andreas Steffen [Fri, 27 Mar 2015 10:14:49 +0000 (11:14 +0100)]
Fixed strongswan.conf man page entry of imc-attestation

6 years agoAdded tnc/tnccs-20-pt-tls scenario
Andreas Steffen [Fri, 27 Mar 2015 09:56:50 +0000 (10:56 +0100)]
Added tnc/tnccs-20-pt-tls scenario

6 years agocmac: Reset state before doing set_key()
Martin Willi [Fri, 27 Mar 2015 15:07:53 +0000 (16:07 +0100)]
cmac: Reset state before doing set_key()

6 years agoaf-alg: Reset hmac/xcbc state before doing set_key()
Martin Willi [Fri, 27 Mar 2015 15:06:21 +0000 (16:06 +0100)]
af-alg: Reset hmac/xcbc state before doing set_key()

6 years agoxcbc: Reset XCBC state in set_key()
Martin Willi [Fri, 27 Mar 2015 14:51:52 +0000 (15:51 +0100)]
xcbc: Reset XCBC state in set_key()

If some partial data has been appended, a truncated key gets invalid if it
is calculated from the pending state.

6 years agohmac: Reset the underlying hasher before doing set_key() with longer keys
Martin Willi [Fri, 27 Mar 2015 14:48:29 +0000 (15:48 +0100)]
hmac: Reset the underlying hasher before doing set_key() with longer keys

The user might have done a non-complete append, having some state in the

Fixes #909.

6 years agocrypto-tester: Test set_key() after a doing a partial append on prf/signers
Martin Willi [Fri, 27 Mar 2015 14:46:24 +0000 (15:46 +0100)]
crypto-tester: Test set_key() after a doing a partial append on prf/signers

While that use is uncommon in real-world use, nonetheless should HMAC set a
correct key and reset any underlying hasher.

6 years agostroke: Properly parse bliss key strength in public key constraint
Tobias Brunner [Wed, 25 Mar 2015 12:27:15 +0000 (13:27 +0100)]
stroke: Properly parse bliss key strength in public key constraint

6 years agoeap-tnc: Free eap-tnc object if IKE_SA not found to get IPs
Tobias Brunner [Wed, 25 Mar 2015 12:24:37 +0000 (13:24 +0100)]
eap-tnc: Free eap-tnc object if IKE_SA not found to get IPs

6 years agotnccs-20: Fix error handling in build()
Tobias Brunner [Wed, 25 Mar 2015 12:23:14 +0000 (13:23 +0100)]
tnccs-20: Fix error handling in build()

6 years agoandroid: Add messages/ita directory to tnccs-20 plugin
Tobias Brunner [Wed, 25 Mar 2015 10:52:41 +0000 (11:52 +0100)]
android: Add messages/ita directory to tnccs-20 plugin

6 years agoandroid: Sync libstrongswan and
Tobias Brunner [Wed, 25 Mar 2015 10:40:04 +0000 (11:40 +0100)]
android: Sync libstrongswan and

6 years agolibtnccs: Set apidoc category to libtnccs and move plugins
Tobias Brunner [Wed, 25 Mar 2015 10:23:26 +0000 (11:23 +0100)]
libtnccs: Set apidoc category to libtnccs and move plugins

6 years agolibtnccs: Fix apidoc category for split IF-TNCCS 2.0 header files
Tobias Brunner [Wed, 25 Mar 2015 10:21:00 +0000 (11:21 +0100)]
libtnccs: Fix apidoc category for split IF-TNCCS 2.0 header files

Fixes 80322d2cee75 ("Split IF-TNCCS 2.0 protocol processing into
separate TNC client and server handlers").

6 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Wed, 25 Mar 2015 09:59:36 +0000 (10:59 +0100)]
Fixed some typos, courtesy of codespell

6 years agokernel-netlink: Copy current usage stats to new SA in update_sa()
Tobias Brunner [Mon, 23 Mar 2015 17:37:48 +0000 (18:37 +0100)]
kernel-netlink: Copy current usage stats to new SA in update_sa()

This is needed to fix usage stats sent via RADIUS Accounting if clients
use MOBIKE or e.g. the kernel notifies us about a changed NAT mapping.
The upper layers won't expect the stats to get reset if only the IPs have
changed (and some kernel interface might actually allow such updates
without reset).

It also fixes traffic based lifetimes in such situations.

Fixes #799.

6 years agochild-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs
Tobias Brunner [Tue, 24 Mar 2015 17:36:49 +0000 (18:36 +0100)]
child-sa: Add a new state to track rekeyed IKEv1 CHILD_SAs

This is needed to handle DELETEs properly, which was previously done via
CHILD_REKEYING, which we don't use anymore since 5c6a62ceb6 as it prevents

6 years agoikev1: Inverse check when applying received KE value during Quick Mode 5.3.0rc1
Martin Willi [Tue, 24 Mar 2015 08:37:38 +0000 (09:37 +0100)]
ikev1: Inverse check when applying received KE value during Quick Mode

Fixes Quick Mode negotiation when PFS is in use.

6 years agoVersion bump to 5.3.0rc1
Andreas Steffen [Mon, 23 Mar 2015 22:15:31 +0000 (23:15 +0100)]
Version bump to 5.3.0rc1

6 years agotesting: added tnc/tnccs-20-mutual scenario
Andreas Steffen [Mon, 23 Mar 2015 22:01:13 +0000 (23:01 +0100)]
testing: added tnc/tnccs-20-mutual scenario

6 years agoImplemented PB-TNC mutual half-duplex protocol
Andreas Steffen [Sun, 22 Mar 2015 00:07:31 +0000 (01:07 +0100)]
Implemented PB-TNC mutual half-duplex protocol

6 years agoOptionally announce PB-TNC mutual protocol capability
Andreas Steffen [Sat, 21 Mar 2015 11:30:24 +0000 (12:30 +0100)]
Optionally announce PB-TNC mutual protocol capability

6 years agoSplit IF-TNCCS 2.0 protocol processing into separate TNC client and server handlers
Andreas Steffen [Fri, 20 Mar 2015 21:01:46 +0000 (22:01 +0100)]
Split IF-TNCCS 2.0 protocol processing into separate TNC client and server handlers

6 years agoMerge branch 'dh-checks'
Martin Willi [Mon, 23 Mar 2015 16:54:20 +0000 (17:54 +0100)]
Merge branch 'dh-checks'

Extend the diffie-hellman interface by success return values, and do some
basic length checks for DH public values.

6 years agoencoding: Remove DH public value verification from KE payload
Martin Willi [Mon, 23 Mar 2015 13:34:11 +0000 (14:34 +0100)]
encoding: Remove DH public value verification from KE payload

This commit reverts 84738b1a and 2ed5f569.

As we have no DH group available in the KE payload for IKEv1, the verification
can't work in that stage. Instead, we now verify DH groups in the DH backends,
which works for any IKE version or any other purpose.

6 years agodiffie-hellman: Verify public DH values in backends
Martin Willi [Mon, 23 Mar 2015 13:32:11 +0000 (14:32 +0100)]
diffie-hellman: Verify public DH values in backends

6 years agodiffie-hellman: Add a bool return value to set_other_public_value()
Martin Willi [Mon, 23 Mar 2015 12:09:32 +0000 (13:09 +0100)]
diffie-hellman: Add a bool return value to set_other_public_value()

6 years agodiffie-hellman: Add a bool return value to get_my_public_value()
Martin Willi [Mon, 23 Mar 2015 10:37:27 +0000 (11:37 +0100)]
diffie-hellman: Add a bool return value to get_my_public_value()

6 years agolibimcv: Allow pts_t.set_peer_public_value() to fail
Martin Willi [Mon, 23 Mar 2015 10:28:57 +0000 (11:28 +0100)]
libimcv: Allow pts_t.set_peer_public_value() to fail

6 years agolibimcv: Allow pts_t.get_my_public_value() to fail
Martin Willi [Mon, 23 Mar 2015 10:25:37 +0000 (11:25 +0100)]
libimcv: Allow pts_t.get_my_public_value() to fail

6 years agoencoding: Allow ke_payload_create_from_diffie_hellman() to fail
Martin Willi [Mon, 23 Mar 2015 10:10:40 +0000 (11:10 +0100)]
encoding: Allow ke_payload_create_from_diffie_hellman() to fail

6 years agodiffie-hellman: Use bool instead of status_t as get_shared_secret() return value
Martin Willi [Mon, 23 Mar 2015 09:54:24 +0000 (10:54 +0100)]
diffie-hellman: Use bool instead of status_t as get_shared_secret() return value

While such a change is not unproblematic, keeping status_t makes the API
inconsistent once we introduce return values for the public value operations.

6 years agoload-tester: Migrate NULL DH implementation to INIT/METHOD macros
Martin Willi [Mon, 23 Mar 2015 09:44:55 +0000 (10:44 +0100)]
load-tester: Migrate NULL DH implementation to INIT/METHOD macros

6 years agoikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SA
Tobias Brunner [Mon, 23 Mar 2015 09:58:30 +0000 (10:58 +0100)]
ikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SA

OpenBSD's isakmpd uses the latest ISAKMP SA to delete other expired SAs.
This caused strongSwan to delete e.g. a rekeyed SA even though isakmpd
meant to delete the old one.

What isakmpd does might not be standard compliant. As RFC 2408 puts

  Deletion which is concerned with an ISAKMP SA will contain a
  Protocol-Id of ISAKMP and the SPIs are the initiator and responder
  cookies from the ISAKMP Header.

This could either be interpreted as "copy the SPIs from the ISAKMP
header of the current message to the DELETE payload" (which is what
strongSwan assumed, and the direction IKEv2 took it, by not sending SPIs
for IKE), or as clarification that ISAKMP "cookies" are actually the
SPIs meant to be put in the payload (but that any ISAKMP SA may be

6 years agoencoding: Add getter for IKE SPIs in IKEv1 DELETE payloads
Tobias Brunner [Mon, 23 Mar 2015 09:53:58 +0000 (10:53 +0100)]
encoding: Add getter for IKE SPIs in IKEv1 DELETE payloads

6 years agopki: Choose default digest based on the signature key
Tobias Brunner [Tue, 17 Mar 2015 13:40:02 +0000 (14:40 +0100)]
pki: Choose default digest based on the signature key

6 years agopki: Use SHA-256 as default for signatures
Tobias Brunner [Mon, 16 Mar 2015 17:25:22 +0000 (18:25 +0100)]
pki: Use SHA-256 as default for signatures

Since the BLISS private key supports this we don't do any special
handling anymore (if the user choses a digest that is not supported,
signing will simply fail later because no signature scheme will be found).

6 years agotrap-manager: Add option to ignore traffic selectors from acquire events
Tobias Brunner [Thu, 12 Mar 2015 10:50:20 +0000 (11:50 +0100)]
trap-manager: Add option to ignore traffic selectors from acquire events

The specific traffic selectors from the acquire events, which are derived
from the triggering packet, are usually prepended to those from the
config.  Some implementations might not be able to handle these properly.

References #860.

6 years agounit-tests: Fix settings test after merging multi-line strings
Tobias Brunner [Mon, 23 Mar 2015 09:46:32 +0000 (10:46 +0100)]
unit-tests: Fix settings test after merging multi-line strings

6 years agoswanctl: Append /ESN to proposal for a CHILD_SA using Extended Sequence Numbers
Martin Willi [Mon, 23 Mar 2015 09:12:06 +0000 (10:12 +0100)]
swanctl: Append /ESN to proposal for a CHILD_SA using Extended Sequence Numbers

We previously printed just the value for the "esn" keyword, which is "1", and
not helpful as such.

Fixes #904.

6 years agounit-tests: Depend on SHA1/SHA256 features for mgf1 test cases
Martin Willi [Mon, 23 Mar 2015 08:53:34 +0000 (09:53 +0100)]
unit-tests: Depend on SHA1/SHA256 features for mgf1 test cases

6 years agoman: More accurately describe features of the new parser in ipsec.conf(5)
Tobias Brunner [Thu, 19 Mar 2015 17:34:26 +0000 (18:34 +0100)]
man: More accurately describe features of the new parser in ipsec.conf(5)

6 years agosettings: Merge quoted strings that span multiple lines
Tobias Brunner [Thu, 19 Mar 2015 17:34:02 +0000 (18:34 +0100)]
settings: Merge quoted strings that span multiple lines

6 years agostarter: Merge quoted strings that span multiple lines
Tobias Brunner [Thu, 19 Mar 2015 17:33:19 +0000 (18:33 +0100)]
starter: Merge quoted strings that span multiple lines

6 years agoencoding: Don't verify length of IKEv1 KE payloads
Tobias Brunner [Fri, 20 Mar 2015 15:32:56 +0000 (16:32 +0100)]
encoding: Don't verify length of IKEv1 KE payloads

The verification introduced with 84738b1aed95 ("encoding: Verify the length
of KE payload data for known groups") can't be done for IKEv1 as the KE
payload does not contain the DH group.

6 years agocharon-systemd: Optionally load plugin list from charon-systemd.load
Tobias Brunner [Thu, 19 Mar 2015 15:19:24 +0000 (16:19 +0100)]
charon-systemd: Optionally load plugin list from charon-systemd.load

6 years agoapidoc: Limit INPUT to src subdirectory and
Martin Willi [Thu, 19 Mar 2015 11:17:03 +0000 (12:17 +0100)]
apidoc: Limit INPUT to src subdirectory and

While 0909bf6c explicitly includes the whole source tree (to cover,
this has the unpleasant side effect of covering a workspace under "testing"
with all its sources, or any other potential subdirectory that exists.

6 years agoutils: Fix enum_flags_to_string parameter name to match Doxygen description
Martin Willi [Thu, 19 Mar 2015 11:14:30 +0000 (12:14 +0100)]
utils: Fix enum_flags_to_string parameter name to match Doxygen description